On April 6, 2023, the U.S. Department of Treasury released its Illicit Finance Risk Assessment of Decentralized Finance protocol, which, as the name suggests, identifies those illicit threats and vulnerabilities to which Treasury believes the decentralized finance (DeFi) market is most susceptible. Touting it as the world’s first, Treasury’s risk assessment comes amidst the Biden administration’s efforts to impose a broader regulatory framework for digital assets. Through the risk assessment, Treasury aims to identify abuses and vulnerabilities unique to DeFi services and address the gaps in anti-money laundering (AML) and countering the financing of terrorism (CFT) rules which separate DeFi platforms from “traditional” financial institutions.

In light of the positions taken by Treasury in its risk assessment, companies should carefully evaluate their risk mitigation strategies and ensure compliance with AML, CFT, and Treasury’s Office of Foreign Assets Control (OFAC) sanctions regulations to assist in preventing illicit actors from abusing DeFi services.

What is DeFi (According to Treasury)?

Treasury takes the position that there is no generally accepted definition of DeFi among industry participants; however, it broadly refers to virtual asset protocols and services that purport to allow for some form of automated peer-to-peer (P2P) transactions, often through the use of self-executing code known as “smart contracts” based on blockchain technology. Treasury further takes the position that “[a]t times, the use of the term [decentralized finance] reflects marketing more than reality.”

Risks Associated with DeFi

As with traditional financial markets and institutions, illicit actors, including criminals, scammers, and nation-state cyber actors, have exploited cybersecurity weaknesses to abuse DeFi services. In particular, the primary risks associated with DeFi, according to Treasury, are:

  • Money Laundering: Actors will exchange virtual assets for others that are easier to use in the industry and/or less traceable; send virtual assets through mixers; and place virtual assets in liquidity pools as a form of layering.
  • Ransomware: Actors can use DeFi services to exchange virtual assets obtained from ransomware-related payments and utilize decentralized mixers to obfuscate the movement of funds.
  • Theft: Actors exploit vulnerabilities in the smart contracts governing DeFi services to steal virtual assets, taking advantage of the complexity of cross-chain functionality and the open-source nature of DeFi services.
  • Fraud and Scams: Actors utilize various techniques (e.g., “rug pulls” or “pig butchering”) that result in stolen investment funds from unknowing victims.
  • Drug Trafficking: Drug trafficking organizations (DTOs) have begun using virtual assets to launder money. However, Treasury admits that the drug proceeds generated via DeFi services are low in comparison to the cash-based street-level sales that DTOs secure.

DeFi’s Place Among Existing Regulatory Regimes

The most noteworthy position taken by Treasury in the risk assessment appears to be that DeFi services, depending on the nature of the activities in which they engage, are, in fact, subject to the requirements of many of the existing federal regulatory regimes. Despite what it refers to as “[i]ndustry claims [of] insufficient regulatory clarity…,” Treasury takes the position that “[t]he degree to which a service is decentralized has no bearing on [a company’s] obligations so long as the service” falls within a regulatory jurisdiction. Further, Treasury asserts that this position holds true whether the question is if a DeFi service must register with the Commodity Futures Trading Commission (CFTC) or satisfy the AML/CFT obligations of the Bank Secrecy Act (BSA); it all depends on the nature of the activities undertaken by the DeFi service.

By way of an example, the BSA imposes requirements on financial institutions to aid U.S. government agencies in detecting and preventing money laundering. Treasury states in the risk assessment that whether or not a DeFi service is truly decentralized is irrelevant for purposes of complying with BSA obligations, and that any DeFi service that functions as a financial institution, as defined by the BSA, will be required to comply with BSA obligations, including AML/CFT obligations.

Given Treasury’s position, the BSA could now require DeFi institutions to, among other obligations: (1) file reports of transactions exceeding $10,000; (2) identify and assess risk of customers through Know Your Customer (KYC) rules; and (3) file suspicious activity reports (SARs) on activity that might signify money laundering, tax evasion, and other criminal activities.

In addition to the requirements of the BSA, the risk assessment specifically states that DeFi services that are U.S. persons are required to comply with economic sanctions programs administered and enforced by OFAC, depending on the nature of the activities being undertaken.  These sanctions compliance obligations are the same regardless of whether a transaction is in virtual assets or traditional currency, meaning institutions that deal solely with DeFi services cannot escape OFAC requirements, including the prohibition on business with sanctioned entities and the blocking/freezing of client assets. In fact, and while some have theorized that individuals and/or entities would begin transitioning to crypto and blockchain to evade sanctions and OFAC regulations, Treasury acknowledges in the risk assessment that DeFi remains small in comparison to the overall virtual asset ecosystem.  Most illicit activities still occur using traditional assets and fiat currency. 

Key Takeaways

Despite the questions and concerns raised by industry participants, the risk assessment makes clear that Treasury believes the regulatory framework already exists for proper enforcement of financial regulations as they relate to DeFi services. While leaving room to “engage with developers” of DeFi software and foreign partners, Treasury does not appear to be advocating any significant policy revisions or new regulatory regimes. Instead, Treasury appears to take the position that the regulation of DeFi services, and any illicit activities which may take place on their platforms, can be accomplished, at least initially, utilizing the existing laws/regulations already on the books—including the BSA and OFAC regulations.  

DeFi is a complex system that will continue to evolve and will require controls in place to mitigate illicit criminal activity. Although the risk assessment does not promulgate new regulations, it does make clear Treasury’s position that current federal regulatory regimes, including the BSA and OFAC regulations, apply to the financial services industries regardless of whether or not a particular service is decentralized. Failure to comply could subject a company to regulatory enforcement and vulnerability to illicit actors in the digital asset world.

Buchanan’s Blockchain and Digital Assets Practice Group is available to help review and revise corporate risk mitigation programs and answer any questions regarding Treasury’s DeFi risk assessment protocol.